Hard time to have VCC glitching succeed

I bought the chipwhisperer in 2016 with a XMEGA 128D4 target.
it was pretty simple to successfully glitch the XMEGA by following the clock glitching tutorial but now I have a hard time to get the Vcc glitching tutorial works.
I’m following wiki.newae.com/Tutorial_A3_VCC_Glitch_Attacks but without success. Using the glitch explorer I let the Capture tool test Width and Offset parameters from 1 to 49 (step 0.5) and -49 to 49 (step 0.5) but didn’t get anything from it.
As I’m a newbie and know pretty much nothing in hardware I’m surely missing something obvious. Could someone explain me how to find the correct parameters to glitch this target?

Thanks

Joe

Joe,

Glad to hear you’re getting some use out of the ChipWhisperer!

Glitching is hard, so don’t get too hung up on this. Sometimes I find that my targets just don’t care about VCC glitches - they either act normally or turn off. I think there are a few more things you can try, though:

  • Double-check your glitch settings. Do you have one (or both) of the HS-Glitch Out Enable settings turned on? Is your glitch module clock locked to the right input? Do you see some kind of glitch on the power trace?
  • Have you tried changing the Repeat setting in the glitch module? Sometimes, one pulse isn’t long enough - if there’s too much capacitance around, the target won’t even notice that you tried to cut the power. Maybe try sweeping this from, say, 1 to 10 along with the other setting sweeps.

Hi gdeon,

Thanks for you answer.

As the hardware comes directly from newae I was expecting it will be easy to glitch it :smiley:

I’m following the tutorial wiki.newae.com/Tutorial_A3_VCC_Glitch_Attacks

See section 5.2.b from the tutorial, I checked the box marked “HS-Glitch Out Enable (Low Power)”.
Do you mean I should try to check the other or even both? Could you please explain me what will be the effect?

Yeah I see the glitch on the power trace :slight_smile:

Yes I tried several parameters manually. The board either reset or keep running…

It’s definitely easier with our hardware than it is with any old board! However, these things can still be finicky - some days, the moon is in the wrong phase and it just refuses to glitch.

The ChipWhisperer uses a “crowbar” circuit to produce these voltage glitches. There’s a picture of the circuit in the tutorial so you can see what’s going on: a transistor is used to short the power rail to GND for a very short amount of time. There are two MOSFETs on the CW-Lite that you can use to do this. You can see them beside the glitch connector: there’s a big one on the top and little one on the bottom.

If you enable the Low Power option, the glitch module output is connected to the small MOSFET. The High Power option connects to the larger MOSFET. The bigger one can handle more power, so it might be able to drain the power from the XMEGA more quickly. It’s worth a try!

The glitch settings that work can be very precise - for example, I’ve seen glitches that work when the offset is 6 or 7, but not 5 or 8. Don’t be surprised if you can’t find working parameters manually! It’s much easier to just set up the glitch explorer and let it do the hard work :slight_smile:

Hi Joe,
Any update? Have you got a successful VCC glitching with WhisperLite and XMEGA target? I’m having the same problem. Using the lower power MOSFET does nothing and high power always reset the target. Can’t break into the while loop. No problem with clock glitching, just VCC glitching that drive me nut.

Has anyone successfully done VCC glitching on WhisperLite with XMEGA target? Please post the software settings if you do.

Hi everyone,

effectively it is really hard to perform successful vdd glitching here.
When I try powerful parameter, I have the following error:

An error has occurred:
XMEGA command 20 failed:err=1,timeout=1
raceback (most recent call last):
File “/home/xisco/CW/software/chipwhisperer/capture/ui/CWCaptureGUI.py”, line 112, in
self.capture1Act = QAction(QIcon(’:/images/play1.png’), ‘Capture 1’, self, triggered=lambda: self.doCapture(self.api.capture1))
File “/home/xisco/CW/software/chipwhisperer/capture/ui/CWCaptureGUI.py”, line 219, in doCapture
if callback():
File “/home/xisco/CW/software/chipwhisperer/common/api/CWCoreAPI.py”, line 313, in capture1
return ac.doSingleReading()
File “/home/xisco/CW/software/chipwhisperer/capture/api/acquisition_controller.py”, line 87, in doSingleReading
aux.traceArm()
File “/home/xisco/CW/software/chipwhisperer/capture/auxiliary/ResetCW1173Read.py”, line 70, in traceArm
self.resetDevice()
File “/home/xisco/CW/software/chipwhisperer/capture/auxiliary/ResetCW1173Read.py”, line 93, in resetDevice
CWCoreAPI.getInstance().getScope().scopetype.dev.getCwliteXMEGA().readSignature()
File “/home/xisco/CW/software/chipwhisperer/capture/ui/programmers_dialog.py”, line 259, in readSignature
self.xmega.find()
File “/home/xisco/CW/software/chipwhisperer/capture/api/programmers.py”, line 105, in find
sig, chip = self.xmega.find()
File “/home/xisco/CW/software/chipwhisperer/hardware/naeusb/programmer_xmega.py”, line 161, in find
self.enablePDI(True)
File “/home/xisco/CW/software/chipwhisperer/hardware/naeusb/programmer_xmega.py”, line 295, in enablePDI
self._xmegaDoWrite(self.XPROG_CMD_ENTER_PROGMODE)
File “/home/xisco/CW/software/chipwhisperer/hardware/naeusb/programmer_xmega.py”, line 490, in _xmegaDoWrite
raise IOError(“XMEGA Command %x failed: err=%x, timeout=%d” % (status[0], status[1], status[2]))
IOError: XMEGA Command 20 failed: err=1, timeout=1

After that I cannot continue and I need to quit and restart CWCapture.
I need to reflash the .hex inside the xmega too.
Can you indicate me how I can avoid this error during my glitch parameters research please?
I am a little stuck here…:slight_smile:

Kind regards
sk

Hi,

I am also having some trouble VCC glitching the hardware. I am trying to do glitch1.

I uploaded some samples and created a video showing some of the problems I encounter
I am using the following hex

github.com/x8-999-github/cw-pro … litch1.hex

and running this script on CW-lite + the xmega target
github.com/x8-999-github/cw-pro … _glitch.py

I created a small video showing the Problems I currently encounter youtu.be/g9qwju9O6Gk
-The glitch do not happen every time
-Somewhere something goes wrong when the glitch width is set to 0 (CW keeps the line low)

I will continue debugging (clock glitching worked fine)

Thanks for the detailed report - will try to take a look at what is happening.

As a note the VCC glitching on the XMEGA target seems to not be too successful, I don’t know the exact reason but I typically am using VCC glitching on the STM32x or AVR target. Which one do you have there?

-Colin

So I continued trying to VCC glitch the xmega. So far still not success but we are slowly? getting closer.

  • I started using the https://wiki.newae.com/CW506_Advanced_Breakout_Board and I am now powering the xmega 3.3v via the banna plug. This gives more stability towards the CW (e.g. I did not see hangs any more)
  • with a glitch with of 17 I always get a normal output and with 18 I am getting a reset. playing with the fine adjust did not help here either.

I think that one of the problems is the way the glitch.c code is constructed. I will slightly modify the code to better be able to debug it by adding some need for input to before doing the glitch. Because currently if a glitch is results in a reset the code restart and triggers my scope.

ARM SCOPE RESET TARGET PRINT HELLO TRIGGER PRINT A

into

ARM SCOPE RESET TARGET PRINT HELLO WAIT FOR INPUT PRINT A TRIGGER

Hi

thanks ExMachina for the movie, visualising the error and the strange behaviour.
Any news please?

Regards.
sk

Hi,

It would really be nice to get more activity on the forum or IRC :confused:

Anyway using the new develop branch I started a new experiment and I again created a video showing some of the problems I am having.

youtube.com/watch?v=QpnVU7R … e=youtu.be

The system is not fully dis functional(and I can sometime glitch) but lack on feedback/support is making it less attractive.

Sometimes I have success

Hi, ExMachina.
Your pict have a few green points the right end.
Have you got a successful VCC glitching with ChipWhisperer 4.0.0 Alpha , right?

So I tried VCC glitching for long time with ChipWhisperer 3.5.4 and I still not be success yet.
I’m so trouble about it.
I will try to use ChipWhisperer 4.0.0 Alpha, and please follow me some advice if you have any other tips.

Thanks

Did you get the glitching software running satisfactorily? I’m considering using a CW Lite to glitch a third-party board.

Hello,

Is there is any script for voltage glitch like what exists for clock glitch?